Security Enhancements (Database Engine)

Security enhancements in the Database Engine include new encryption functions, the addition of the transparent data encryption, auditing, and the extensible key management features, and a clarification of DES algorithms.

Encryption Functions

The following new functions are useful when you are encrypting objects: is_objectsigned, asymkeyproperty, symkeyproperty, CRYPT_GEN_RANDOM, KEY_NAME, and sys.fn_check_object_signatures.

Transparent Data Encryption

Transparent data encryption (TDE) introduces a new database option that encrypts the database files automatically, without needing to alter any applications. This prevents unauthorized users from accessing a database, even if they obtain the database files or database backup files. For more information about database encryption, see Understanding Transparent Data Encryption (TDE).

Extensible Key Management

The extensible key management (EKM) feature allows third-party enterprise key management and hardware security module (HSM) vendors to register their devices in SQL Server. Once registered, SQL Server users can use the encryption keys stored on these modules, as well as leveraging the advanced encryption features that these modules support, such as bulk encryption/decryption and many key management functions such as key aging and key rotation. This feature also allows data protection from database administrators (except members of the sysadmin group). Data can be encrypted and decrypted using Transact-SQL cryptographic statements, and SQL Server uses the external EKM device as the key store. For more information on extensible key management, see Understanding Extensible Key Management (EKM).

Clarification Regarding DES Algorithms

The DES algorithm names are clarified and TRIPLE_DES_3KEY is now available. For more information, see CREATE SYMMETRIC KEY (Transact-SQL).

Deprecation of the RC4 Algorithm

The RC4 algorithm is deprecated. This feature will be removed in a future version of Microsoft SQL Server. Do not use this feature in new development work, and modify applications that currently use this feature as soon as possible. Use another algorithm such as AES. For more information, see CREATE SYMMETRIC KEY (Transact-SQL).

Auditing

SQL Server Audit is a new feature of SQL Server 2008 that lets you create customized audits of Database Engine events. SQL Server Audit uses extended events to record the information for the audit and provides the tools and processes that you must have to enable, store, and view audits on various server and database objects. For more information, see Auditing (Database Engine).